Planet Networking & Communication VRT-311 Скачать руководство пользователя страница 106

Страница: 106 / 147

Broadband VPN Router User

’

s Manual

102

Figure83: Key Exchange Security Methods

34. Select the first entry, and click the "Edit" button to see the following screen.

Figure84: IKE Security Algorithms

35. Select "SHA1" for

Integrity Algorithm

, "3DES" for

Encryption algorithm

, and "Low(1)"

for the

Diffie-Hellman Group

36. Click "OK" to save, then "OK" again, and then "Close" to return to the

Local Security

Settings

screen.

37. Right click the

DUT to Win2K Policy

and select "Assign" to make your policy active.

Figure85: Windows 2000/XP Client to VRT-311 / VRT-311S

Configuration is now complete.

Содержание VRT-311

Страница 1: ...Broadband VPN Router VRT 311 VRT 311S User s Manual ...

Страница 2: ...anual is accurate PLANET dis claims liability for any inaccuracies or omissions that may have occurred Information in this User s Manual is subject to change without notice and does not represent a commitment on the part of PLANET PLANET assumes no responsibility for any inaccuracies that may be contained in this User s Manual PLANET makes no commitment to update or keep current the information in...

Страница 3: ...Unix Systems 30 CHAPTER 5 OPERATION AND STATUS 31 Operation 31 Status Screen 31 Connection Status PPPoE 33 Connection Status PPTP 35 Connection Status Telstra Big Pond 36 Connection Details SingTel RAS 37 Connection Details Fixed Dynamic IP Address 39 CHAPTER 6 INTERNET FEATURES 41 Overview 41 WAN Port Configuration 42 Advanced Internet 45 Dynamic DNS Domain Name Server 49 Virtual Servers 51 Optio...

Страница 4: ...ent Database 113 Status Screen 115 Windows Client Setup 116 CHAPTER 10 OTHER FEATURES SETTINGS 124 Overview 124 Config File 125 Network Diagnostics 126 PC Database 127 Remote Administration 131 Routing 133 Upgrade Firmware 138 UPnP 139 APPENDIX A TROUBLESHOOTING 140 Overview 140 General Problems 140 Internet Access 140 APPENDIX B SPECIFICATIONS 142 VRT 311 VRT 311S 142 FCC Statement 142 CE Marking...

Страница 5: ... while being easy to use Internet Access Features Shared Internet Access All users on the LAN or WLAN can access the Internet through VRT 311 VRT 311S using only a single external IP Address The local invalid IP Addresses are hidden from external sources This process is called NAT Network Ad dress Translation DSL Cable Modem Support VRT 311 VRT 311S has a 100BaseT Ethernet port for connecting a DS...

Страница 6: ...ndesirable Web sites by LAN users Internet Access Log See which Internet connections have been made VPN Pass through Support PCs with VPN Virtual Private Networking software using PPTP L2TP and IPSec are transparently supported no configuration is required LAN Features 3 Port Switching Hub VRT 311 VRT 311S incorporates a 3 port 10 100BaseT switching hub making it easy to create or extend your LAN ...

Страница 7: ...attacks Rule based Policy Firewall To provide additional protection against malicious pack ets you can define your own firewall rules This can also be used to control the Internet services available to LAN users IPSec VPN Gateway Features IPSec Support for IPSec standards including IKE and certificates Tunnels Up to 100 VPN tunnels can be created for VRT 311 and up to 10 VPN tunnels can be created...

Страница 8: ...onding LAN hub port Flashing Data is being transmitted or received via the corre sponding LAN hub port 100 On Corresponding LAN hub port is using 100BaseT Off Corresponding LAN hub port connection is using 10BaseT or no active connection DMZ LNK ACT On DMZ port is active Off No active connection to the DMZ port Flashing Data is being transmitted or received via the DMZ port 100 On DMZ port is usin...

Страница 9: ...duction 5 Off No connection to a modem on the WAN Internet port Flashing Data is being transmitted or received via the WAN port PPPoE For VRT 311 only On PPPoE connection established Off No PPPoE connection ...

Страница 10: ...fault values WAN port 10 100BaseT Connect the DSL or Cable Modem here If your modem came with a cable use the supplied cable Otherwise use a standard LAN cable DMZ port PCs or devices connected to the DMZ port are isolated from the LAN If you have a server you wish to make available to the public you can connect it here To use multiple servers use a standard LAN cable to connect the DMZ port to a ...

Страница 11: ...or other networking protocols to connect to PCs on the DMZ The connection must be made via the Internet PCs connected to the DMZ port still share the WAN port IP address for Internet access To make PCs on the DMZ port available from the Internet the Virtual Server Port Forwarding feature must be configured to send incoming traffic to the appropriate server Advantages of the DMZ Port If running any...

Страница 12: ...ram 1 Choose an Installation Site Select a suitable place on the network to install VRT 311 VRT 311S Ensure VRT 311 VRT 311S and the DSL Cable modem are powered OFF 2 Connect LAN Cables Use standard LAN cables to connect PCs to the Switching Hub ports on VRT 311 VRT 311S Both 10BaseT and 100BaseT connections can be used simultaneously If required you can connect any LAN port to another Hub Any LAN...

Страница 13: ...ard LAN cable 4 Power Up Power on the Broadband modem Connect the supplied power adapter to VRT 311 VRT 311S and power up Use only the power adapter provided Using a different one may cause hardware damage 5 Check the LEDs The Power LED should be ON The Status LED should blink during start up then turn Off If it stays on there is a hard ware error For each LAN PC connection the LAN Link Act LED sh...

Страница 14: ... locate detailed instructions for the required functions To Do this Refer to Configure PCs on your LAN Chapter 4 PC Configuration Check VRT 311 VRT 311S operation and Status Chapter 5 Operation and Status Use any of the following Internet features WAN Port Advanced Setup Dynamic DNS Virtual Servers Options Chapter 6 Internet Features Change any of the following Security related settings Admin Logi...

Страница 15: ...ion Before attempting to configure VRT 311 VRT 311S please ensure that Your PC can establish a physical connection to VRT 311 VRT 311S The PC and VRT 311 VRT 311S must be directly connected using the Hub ports on VRT 311 VRT 311S or on the same LAN segment VRT 311 VRT 311S must be installed and powered ON If VRT 311 VRT 311S s default IP Address 192 168 0 1 is already used by another device the ot...

Страница 16: ... connection is OK and it is powered ON You can test the connection by using the Ping command Open the MS DOS window or command prompt window Enter the command ping 192 168 0 1 If no response is received either the connection is not working or your PC s IP address is not compatible with VRT 311 VRT 311S s IP Ad dress See next item If your PC is using a fixed IP Address its IP Address must be within...

Страница 17: ...tup 13 These are the default values Both the name and password can and should be changed using the Admin Login screen Once you have changed either the name or the password you must use the current values ...

Страница 18: ...ne MAC ad dress button to copy the MAC address from your PC to VRT 311 VRT 311S Common Connection Types Cable Modems Type Details ISP Data required Dynamic IP Address Your IP Address is allocated automatically when you connect to you ISP Usually none However some ISP s may require you to use a particular Hostname Domain name or MAC physical address Static Fixed IP Address Your ISP allocates a perm...

Страница 19: ...ss is allocated automatically when you connect to you ISP Usually none However some ISP s may require you to use a particular Hostname Domain name or MAC physical address Static Fixed IP Address Your ISP allocates a perma nent IP Address to you IP Address allocated to you mask and gateway if provided and DNS address Big Pond Cable Australia For this connection method the following data is required...

Страница 20: ...reen Navigation Data Input Use the menu bar on the top of the screen and the Back button on your Browser for navigation Changing to another screen without clicking Save does NOT save any changes you may have made You must Save before changing screens or your data will be ignored On each screen clicking the Help button will display help for that screen From any help screen you can access the list o...

Страница 21: ...ue as the PCs on that LAN segment DHCP Server If Enabled VRT 311 VRT 311S will allocate IP Addresses to PCs DHCP clients on your LAN when they start up The default and recommended value is Enabled If you are already using a DHCP Server this setting must be Disabled and the existing DHCP server must be re configured to treat VRT 311 VRT 311S as the default Gateway See the following section for furt...

Страница 22: ...ver on your LAN Using VRT 311 VRT 311S s DHCP Server This is the default setting The DHCP Server settings are on the LAN screen On this screen you can Enable or Disable VRT 311 VRT 311S s DHCP Server function Set the range of IP Addresses allocated to PCs by the DHCP Server function You can assign Fixed IP Addresses to some devices while using DHCP provided that the Fixed IP Addresses are NOT with...

Страница 23: ...ach PC TCP IP Settings Overview If using the default VRT 311 VRT 311S settings and the default Win dows TCP IP settings no changes need to be made By default VRT 311 VRT 311S will act as a DHCP Server automatically providing a suitable IP Address and related information to each PC when the PC boots For all non Server versions of Windows the default TCP IP setting is to act as a DHCP client If usin...

Страница 24: ...e the following Figure 11 IP Address Win 95 Ensure your TCP IP settings are correct as follows Using DHCP To use DHCP select the radio button Obtain an IP Address automatically This is the default Windows setting Using this is recommended By default VRT 311 VRT 311S will act as a DHCP Server Restart your PC to ensure it obtains an IP Address from VRT 311 VRT 311S Using Specify an IP Address If you...

Страница 25: ... administrator can advise you of the IP Address they assigned to VRT 311 VRT 311S Figure 32 Gateway Tab Win 95 98 On the DNS Configuration tab ensure Enable DNS is selected If the DNS Server Search Order list is empty enter the DNS address provided by your ISP in the fields beside the Add button then click Add Figure 3 DNS Tab Win 95 98 ...

Страница 26: ...NT4 0 1 Select Control Panel Network and on the Protocols tab select the TCP IP protocol as shown below Figure 14 Windows NT4 0 TCP IP 2 Click the Properties button to see a screen like the one below Figure 15 Windows NT4 0 IP Address 3 Select the network card for your LAN ...

Страница 27: ... administrator before making the following changes 1 The Default Gateway must be set to the IP address of VRT 311 VRT 311S To set this Click the Advanced button on the screen above On the following screen click the Add button in the Gateways panel and enter VRT 311 VRT 311S s IP address as shown in Figure below If necessary use the Up button to make VRT 311 VRT 311S the first entry in the Gateways...

Страница 28: ...Broadband VPN Router User s Manual 24 Figure17 Windows NT4 0 DNS ...

Страница 29: ...Right click the Local Area Connection icon and select Properties You should see a screen like the following Figure18 Network Configuration Win 2000 3 Select the TCP IP protocol for your network card 4 Click on the Properties button You should then see a screen like the following Figure19 TCP IP Properties Win 2000 ...

Страница 30: ...obtains an IP Address from VRT 311 VRT 311S Using a fixed IP Address Use the following IP Address If your PC is already configured check with your network administrator before making the following changes Enter VRT 311 VRT 311S s IP address in the Default gateway field and click OK Your LAN administrator can advise you of the IP Address they assigned to VRT 311 VRT 311S If the DNS Server fields ar...

Страница 31: ...Connection 2 Right click the Local Area Connection and choose Properties You should see a screen like the following Figure20 Network Configuration Windows XP 3 Select the TCP IP protocol for your network card 4 Click on the Properties button You should then see a screen like the following ...

Страница 32: ...ensure it obtains an IP Address from VRT 311 VRT 311S Using a fixed IP Address Use the following IP Address If your PC is already configured check with your network administrator before making the following changes In the Default gateway field enter VRT 311 VRT 311S s IP address and click OK Your LAN administrator can advise you of the IP Address they assigned to VRT 311 VRT 311S If the DNS Server...

Страница 33: ... Internet Connections 2 Select Set up or change your Internet Connection 3 Select the Connection tab and click the Setup button 4 Cancel the pop up Location Information screen 5 Click Next on the New Connection Wizard screen 6 Select Connect to the Internet and click Next 7 Select Set up my connection manually and click Next 8 Check Connect using a broadband connection that is always on and click ...

Страница 34: ...g any changes Fixed IP Address By default most Unix installations use a fixed IP Address If you wish to continue using a fixed IP Address make the following changes to your configuration Set your Default Gateway to the IP Address of VRT 311 VRT 311S Ensure your DNS Name server settings are correct To act as a DHCP Client recommended The procedure below may vary according to your version of Linux a...

Страница 35: ... receives an incoming connection Refer to Chapter 6 Internet Features for further de tails Applications which use non standard connections or port numbers may be blocked by VRT 311 VRT 311S s built in firewall You can define such applications as Special Ap plications to allow them to function normally Refer to Chapter 6 Internet Features for further details Some non standard applications may requi...

Страница 36: ...net Mask for the IP Address above DHCP Server This shows the status of the DHCP Server function either En abled or Disabled For additional information about the PCs on your LAN and the IP addresses allocated to them use the PC Database option on the Other menu System Device Name This displays the current name of VRT 311 VRT 311S Firmware Version The current version of the firmware installed in VRT...

Страница 37: ...ce as seen by Internet users This address is allocated by your ISP Internet Service Provider Network Mask The Network Mask associated with the IP Address above PPPoE Link Status This indicates whether or not the connection is currently estab lished If the connection does not exist the Connect button can be used to establish a connection If the connection currently exists the Disconnect button can ...

Страница 38: ...a PPP con nection PPP up successfully Able to login to ISP s Server and establish a PPP connection Idle time out reached The connection has been idle for the time period specified in the Idle Time out field The connection will now be termi nated Disconnecting The current connection is being terminated due to either the Idle Time out above or Disconnect button being clicked Error Remote Server not ...

Страница 39: ...this device as seen by Internet users This address is allocated by your ISP Internet Service Provider PPTP Status This indicates whether or not the connection is currently established If the connection does not exist the Connect button can be used to establish a connection If the connection currently exists the Disconnect button can be used to break the connection Connection Log Connection Log The...

Страница 40: ...as seen by remote devices This is different to the hardware address seen by devices on the local LAN IP Address The IP Address of this device as seen by Internet users This address is allocated by your ISP Internet Service Provider Connection Status This indicates whether or not the connection is currently estab lished If the connection does not exist the Connect button can be used to establish a ...

Страница 41: ...ction Clear Log Delete all data currently in the Log This will make it easier to read new messages Refresh Update the data on screen Connection Details SingTel RAS If using the SingTel RAS access method a screen like the following example will be displayed when the Connection Details button is clicked Figure26 Connection Details SingTel RAS Data SingTel RAS Screen Internet RAS Plan The RAS Plan wh...

Страница 42: ...r will expire The lease is automatically renewed on expiry use the Renew button if you wish to manually renew the lease immediately Buttons Release Renew Button will display EITHER Release OR Renew This button is only useful if the IP address shown above is allocated automatically on connection Dynamic IP address If you have a Fixed Static IP address this button has no effect If the ISP s DHCP Ser...

Страница 43: ...efault Gateway The IP Address of the remote Gateway or Router associated with the IP Address above DNS IP Address The IP Address of the Domain Name Server which is currently used DHCP Client This will show Enabled or Disabled depending on whether or not this device is functioning as a DHCP client If Enabled the Remaining lease time field indicates when the IP Address allocated by the DHCP Server w...

Страница 44: ... attempt to re establish the connection and obtain an IP Address from the ISP s DHCP Server If an IP Address has been allocated to VRT 311 VRT 311S by the ISP s DHCP Server this button will say Release Clicking the Release button will break the connection and release the IP Address Refresh Update the data shown on screen ...

Страница 45: ...en and how to use VRT 311 VRT 311S s Internet Features Overview The following advanced features are provided WAN Port Confuguration Advanced Internet Communication Applications Special Applications Multi DMZ URL filter Dynamic DNS Virtual Servers Options 6 ...

Страница 46: ...your ISP requests that you use a particular Hostname enter it here Domain name If your ISP provided a domain name enter it here Otherwise this may be left blank MAC Address Also called Network Adapter Address or Physical Address This is a low level identifier as seen from the WAN port Normally there is no need to change this but some ISPs require a particular value often that of the PC initially u...

Страница 47: ...lation is the technology which allows all PCs on your LAN to share the Internet IP address allocated to the WAN port on this Router From the Internet all PCs appear to have the same IP address For normal operation this setting must be ENABLED Disable NAT Disabling NAT will disable Internet access unless all PCs have valid Internet IP addresses If you wish to use this device for Routing ONLY and NO...

Страница 48: ...y select the RAS plan you are on Server Address If using PPTP or Big Pond Cable enter the address of your ISP s server For PPPoE or SingTel RAS the Server address in not required Connection behavior Select the desired option Automatic Connect Disconnect An Internet connection is automatically made when required and disconnected when idle for the time period specified by the Auto disconnect Idle Ti...

Страница 49: ...transparently by VRT 311 VRT 311S But sometimes it is not clear which PC should receive an incoming connection This problem could arise with the Communication Applications listed on this screen If this problem arises you can use this screen to set which PC should receive an incoming connection as described below Communication Applications Select an Application This lists applications which may gen...

Страница 50: ... blocked by VRT 311 VRT 311S s firewall In this case you can define the application as a Special Application Special Applications Screen This screen can be reached by clicking the Special Applications button on the Advanced Inter net screen You can then define your Special Applications You will need detailed information about the application this is normally available from the supplier of the appl...

Страница 51: ...Special Applications screen as required On your PC use the application normally Remember that only one 1 PC can use each Special application at any time Also when 1 PC is finished using a particular Special Ap plication there may need to be a Time out before another PC can use the same Special Application The Time out period may be up to 3 minutes If an application still cannot function correctly ...

Страница 52: ...reen to access the URL Filter screen An example screen is shown below Figure31 URL Filter Screen Data URL Filter Screen Filter Strings Current Entries This lists any existing entries If you have not entered any values this list will be empty Add Filter String To add an entry to the list enter it here and click the Add button An entry may be a Domain name e g www trash com or simply a string e g ad...

Страница 53: ...nt IP Address is recorded and updated at the DDNS server If the DDNS Service provides software to perform this IP address update you should disable the Update function or not use the software at all 5 From the Internet users will be able to connect to your Virtual Servers or DMZ PC using your Domain name as shown on this screen Dynamic DNS Screen Select Internet on the main menu then Dynamic DNS t...

Страница 54: ...me Enter your Username for the DDNS Service Password Key Enter your current password for the DDNS Service Domain Name Enter the domain name allocated to you by the DDNS Service If you have more than one name enter the name you wish to use DDNS Status This message is returned by the DDNS Server Normally this message should be something like Update suc cessful or IP address updated If the message in...

Страница 55: ...n both Internet users are connecting to the same IP Address but using different protocols To Internet users all virtual Servers on your LAN have the same IP Address This IP Address is allocated by your ISP This address should be static rather than dynamic to make it easier for Internet users to con nect to your Servers However you can use the DDNS Dynamic DNS feature to allow users to connect to y...

Страница 56: ...vers providing a quick and convenient method to set up the common server types Data Virtual Servers Screen Servers Servers This lists a number of pre defined Servers plus any Servers you have defined Details of the selected Server are shown in the Prop erties area Properties Enable Use this to Enable or Disable support for this Server as required If Enabled any incoming connections will be forward...

Страница 57: ...tions This screen allows advanced users to enter or change a number of settings For normal opera tion there is no need to use this screen or change any settings Figure35 Options Screen Data Options Screen Backup DNS IP Address Enter the IP Address of the DNS Domain Name Servers here These DNS will be used only if the primary DNS is unavailable MTU MTU size MTU Maximum Transmission Unit value shoul...

Страница 58: ...l Security Options Scheduling Services Admin Login The Admin Login screen allows you to assign a user name and password to VRT 311 VRT 311S Figure36 Admin Login Screen 1 The default login name is admin Change this to the desired value 2 The default password is blank no password Enter the desired password in the New Password and Verify Password fields 3 Save your changes You will see a login prompt...

Страница 59: ...Security Configuration 55 Figure37 Password Dialog Enter the User Name and Password you set on the Admin Login screen above ...

Страница 60: ...et the desired restrictions on the Default group All PCs are in the Default group unless explicitly moved to another group 2 Set the desired restrictions on the other groups Group 1 Group 2 Group 3 and Group 4 as needed 3 Assign PC to the groups as required Restrictions are imposed by blocking Services or types of connections All common Services are pre defined If required you can also define your...

Страница 61: ...oup Block selected Services You can select which Services are to block Use this to gain fine control over the Internet access for a group Block by Schedule If Internet access is being blocked you can choose to apply the blocking only during scheduled times If access is not blocked no Scheduling is possible and this setting has no effect To define the schedule use the Schedule option on the menu Se...

Страница 62: ...Broadband VPN Router User s Manual 58 Clear Log Click this to clear and restart the Access Control log making new entries easier to read ...

Страница 63: ...fault group Access Control Log To check the operation of the Access Control feature an Access Control Log is provided Click the View Log button on the Access Control screen to view this log This log shows attempted Internet accesses which have been blocked by the Access Control function Data shown in this log is as follows Date Time Date and Time of the attempted access Name If known the name of t...

Страница 64: ... for advanced administrators only Firewall Rules Screen Click the Firewall Rules option on the Security menu to see a screen like the following example This example contains two 2 rules for outgoing traffic Since the default rule for outgoing LAN WAN traffic is Allow having an Allow rule for LAN WAN only makes sense in combination with another rule For example the screen below shows a rule blockin...

Страница 65: ... section for more details Edit To Edit or modify an existing rule select it and click the Edit button Move There are 2 ways to change the order of rules Use the up and down indicators on the right to move the selected rule You must confirm your changes by clicking OK If you change your mind before clicking OK click Cancel to reverse your changes Click Move to directly specify a new location for th...

Страница 66: ...desired option Source IP These settings determine which traffic based on their source IP address is covered by this rule Select the desired option Any All traffic from the source port is covered by this rule Single address Enter the required IP address in the Start IP address field You can ignore the Subnet Mask field Range address If this option is selected you must complete both the Start IP add...

Страница 67: ... IP address and Finish IP address fields You can ignore the Subnet Mask field Subnet address If this option is selected enter the required mask in the Subnet Mask field Services Select the desired Service or Services This determines which packets are covered by this rule based on the protocol TPC or UDP and port number If necessary you can define a new Ser vice on the Services screen by defining t...

Страница 68: ... 311S This data is useful for troubleshooting but enabling all logs will generate a large amount of data and adversely affect performance Since only a limited amount of log data can be stored in VRT 311 VRT 311S log data can also be E mailed to your PC or sent to a Syslog Server Figure42 Logs Screen ...

Страница 69: ...ics Because most connections are logged the logs will still be large Selected Traffic only This selection will reduce the size of the log considerably Only HTTP connections are logged Select the traffic you wish to include Attempted access to blocked sites This will only log Web connections which are blocked by the URL filter Websites and news groups This logs successful allowed connections to Web...

Страница 70: ...e Timezone Select the correct Timezone for your location This is required for the date time shown on the logs to be correct Syslog Server Enable Syslog If enabled log data will be sent to your Syslog Server Syslog Server Enter the IP address of your Syslog Server Include Select the logs you wish to be included in the data sent to the Syslog Server ...

Страница 71: ...l address settings on this screen Include Select the log items to be included in the E mail Send Select the desired option for sending the log by E mail When log is full The time is not fixed The log will be sent when the log is full which will depend on the volume of traf fic Every day Every Monday The log is sent on the interval specified If Every day is selected the log is sent at the time spec...

Страница 72: ...s address as the Sender s address Subject Enter the text string to be shown in the Subject field for the E mail SMTP Server Enter the address or address or IP address of the SMTP Simple Mail Transport Protocol Server you use for outgoing E mail Port No Enter the port number used to connect to the SMTP Server The default value is 25 ...

Страница 73: ... can not use it the service is unavailable This device uses Stateful Inspection technology This system can detect situations where individual TCP IP packets are valid but collectively they become a DoS attack Threshold This setting affects the number of half open connections allowed A half open connection arises when a remote client contacts the Server with a connection request but then does not r...

Страница 74: ...dely used by VPN Virtual Private Networking programs L2TP L2TP is a protocol developed by Cisco for VPNs Virtual Private Networks Drop fragmented IP packets If enabled fragmented IP packets are discarded forcing re transmission of these packets In some situations this could prevent successful communication Normally this setting should be disabled Block TCP Flood A TCP flood is excessively large nu...

Страница 75: ...f the time for a particular day is blank no action will be performed Define Schedule Screen This screen is accessed by the Scheduling link on the Security menu Figure45 Define Schedule Screen Data Define Schedule Screen Day Each day of the week can scheduled independently Session 1 Session 2 Two 2 separate sessions or periods can be defined Session 2 can be left blank if not required Start Time En...

Страница 76: ...rvice from the list Note that you can only delete Services you have added the pre defined services can not be deleted Add New Service Name Enter a suitable name for this Service Type Select the correct type for this Service Start Port If the Type above is TCP UDP or TCP UDP enter the port number for this Service If a port range is required enter the begin ning of the range here and the end of the ...

Страница 77: ...as two SAs one in each direction If IKE Internet Key Exchange is used to generate and exchange keys there are also SA s for the IKE connection as well as the IPsec connection There are two security modes possible with IPSec Transport Mode the payload data part of the packet is encapsulated through encryp tion but the IP header remains in the clear unchanged VRT 311 VRT 311S does NOT support Transp...

Страница 78: ...d only Enable one 1 policy at a time If multiple policies for the same remote site are enabled the policies are examined in the order in which they are listed and the first matching policy will be used While it is possible to change the order of the policies it may not be easy to get the desired action from multiple policies VPN Configuration The general rule is that each endpoint must have matchi...

Страница 79: ...11S requires no VPN configuration since it is not acting as a VPN endpoint Client PC to VPN Gateway Figure48 Client PC to VPN Server In this situation the PC must run appropriate VPN client software in order to connect via the Internet to VRT 311 VRT 311S Once connected the client PC has the same access to LAN resources as PCs on the local LAN unless restricted by the network administrator IPsec i...

Страница 80: ... on each endpoint gain secure access to the remote LAN The 2 LANs MUST use different IP address ranges The VPN Policies at each end determine when a VPN tunnel will be established and what systems on the remote LAN can be accessed once the VPN connection is established It is possible to have simultaneous VPN connections to many remote sites ...

Страница 81: ...or a particular site In that case the first matching policy for the traffic under consideration will be used Data VPN Policies Screen VPN List Policy Name The name of the policy When creating a policy you should select a suitable name Enable This indicates whether or not the policy is currently enabled Use the Enable Disable button to toggle the state of the selected policy Remote VPN Endpoint The...

Страница 82: ...ate of the selected policy Copy If you wish to create a policy which is similar to an existing policy select the policy and click the Copy button Remember that the new policy must have a different name and there can only be one active enabled policy for each remote VPN endpoint Delete To delete an exiting policy select it and click the Delete button View Log Clicking the View Log button will open ...

Страница 83: ... should not be enabled unless necessary because it increases traffic volume Remote VPN Endpoint The Internet IP address of the remote VPN endpoint Gateway or client Dynamic Select this if the Internet IP address is unknown In this case only incoming connections are possible Fixed Select this if the remote endpoint has a fixed Internet IP address If selected enter the Internet IP address of the rem...

Страница 84: ...cal LAN traffic So it would not be forwarded to the Gateway Local IP addresses Type Any no additional data is required Any IP address is accept able For outgoing connections this allows any PC on the LAN to use the VPN tunnel For incoming connections this allows any PC using the re mote endpoint to access any PC on your LAN Single address enter an IP address in the Start IP address field Range add...

Страница 85: ...s on whether you previously se lected Manual Key Exchange or IKE Manual Key Exchange Figure54 VPN Wizard Manual Key Exchange Screen These settings must match the remote VPN Note that you cannot use both AH and ESP Manually assigned Keys AH Authentication AH Authentication Header specifies the authentication protocol for the VPN header if used AH is often NOT used If AH is not enabled the following...

Страница 86: ... 24 ASCII characters 48 HEX chars If using AES encryption the key input size must match the Key Size selected above ESP Authentication Generally you should enable ESP Authentication There is little difference between the available algorithms Just ensure each endpoint use the same setting The In key here must match the Out key on the remote VPN and the Out key here must match the In key on the remo...

Страница 87: ...omain Name assigned to this device Fully Qualified User name This name does not have to a valid Internet Domain Name E mail addresses are often used for this entry DER ANS 1 DN This must be a DER ANS 1 Domain Name Remote Identity This setting must match the Local Identity on the remote VPN Select the desired option and enter the required data in the Remote Identity Data field IP Address This is th...

Страница 88: ... session but takes slightly longer to complete Aggressive Mode provides no identity protection but is quicker Direction Select the desired option Initiator Only outgoing connections will be created Incoming connection attempts will be rejected Responder Only incoming connections will be accepted Outgoing traffic which would otherwise result in a connection will be ignored Both Directions Both inco...

Страница 89: ...st in breaking the next key AH Authentication AH Authentication Header specifies the authentication protocol for the VPN header if used AH is often NOT used If you do enable it ensure the algorithm selected matches the other VPN endpoint ESP Encryption ESP Encapsulating Security Payload provides security for the payload data sent through the VPN tunnel Generally you will want to enable both ESP En...

Страница 90: ...Router User s Manual 86 For IKE configuration is now complete Click Next to view the final screen Figure57 VPN Wizard Final Screen On the final screen click Finish to save your settings then Close to exit the Wizard ...

Страница 91: ...ote Endpoint 205 17 11 43 202 11 13 211 Other endpoint s WAN Internet IP address Local IP addresses Any Any Use a more restrictive definition if possible Remote IP addresses 192 168 1 1 to 192 168 1 254 192 168 0 1 to 192 168 0 254 Address range on other endpoint Use a more restrictive definition if possible Key Exchange IKE IKE Must match IKE SA Parameters IKE Direction Both ways Both ways Does n...

Страница 92: ...1 768 bit Group 1 768 bit Must match IKE SA Life time 28800 28800 Does not have to match Shorter period will be used IKE PFS Disable Disable Must match IPSec SA Parameters IPSec SA Life time 28800 28800 Does not have to match Shorter period will be used IPSec PFS Disabled Disabled Must match AH authentication Disabled Disabled AH is rarely used ESP authentication Enable MD5 Enable MD5 Must match E...

Страница 93: ... addresses Subnet address 192 168 0 0 255 255 255 0 Allows access to entire LAN Use a more restrictive definition if possible Remote IP addresses 172 16 9 10 For a single client this address is the same as the endpoint address Key Exchange IKE Must match client PC IKE SA Parameters IKE Direction Both ways Using Responder only is not possible Local Identity IP address Required Remote Identity IP ad...

Страница 94: ... authentication Enable MD5 Must match client PC ESP encryption Enable DES Must match client PC Windows Client Configuration 1 Select Start Programs Administrative Tools Local Security Policy 2 Right click IP Security Policy on Local Machine and select Create IP Security Policy Figure60 Windows 2000 XP Local Security Settings 3 Click Next then enter a policy name for example DUT To Win2K then click...

Страница 95: ...es are in use Two 2 rules are required incoming and outgoing The outgoing rule will be added first 6 Deselect the Use Add Wizard checkbox then click Add to view the screen below Figure62 IP Filter List 7 Type To DUT for the name then click Add to see a screen like the following ...

Страница 96: ...ce IP address is My IP address and the Des tination IP address is the address range used on the remote LAN Ensure the Mirrored option is checked 9 Click OK to save your settings and close this dialog Figure64 New Rule Properties IP Filter List 10 On the resulting screen above ensure the To DUT filter is selected then click the Filter Action tab to see a screen like the following ...

Страница 97: ... Rule Properties Filter Action 11 Select Require Security then click the Edit button to view the Require Security Proper ties screen Figure66 Require Security Properties 12 Select Negotiate security this selects IKE then click Add ...

Страница 98: ...e Security Properties screen Figure68 Require Security Properties 14 Ensure the following settings are correct then click OK to return to the Filter Action tab of the Edit Rule Properties screen VPN Setting Windows Setting IKE enabled Negotiate security AH disabled AH Integrity None ESP encryption Enable DES ESP Confidentially DES ESP authentication Enable MD5 ESP Integrity MD5 ...

Страница 99: ...ab then click the Edit to see the screen like the example below Figure70 Authentication Method 17 Select Use this string to protect the key exchange preshared key then enter your pre shared key in the field provided 18 Click OK to save your changes and return to the Authentication Methods tab of the Edit Rule Properties screen 19 Click Close to return to the DUT to Win2K properties screen The To D...

Страница 100: ...me enter To Win2K then click Add Figure72 Windows 2000 XP Client to VRT 311 VRT 311S 21 Enter the Source IP address and the Destination IP address as shown below Since this is the incoming filter the Source IP address is the address range used on the remote LAN and the Destination IP address is My IP address Ensure the Mirrored option is checked ...

Страница 101: ...Microsoft VPN 97 Figure73 Filter Properties Addressing 22 Click OK to save your changes then Close Figure74 Filter List 23 Ensure the To Win2K filter is selected then click the Filter Action tab ...

Страница 102: ... Filter Action 24 Select Require Security then click Edit On the Require Security Methods screen below select Negotiate security Figure76 Security Methods 25 Click the Add button On the resulting Modify Security Method screen below select High ESP ...

Страница 103: ... then click OK again to return to the Filter Action screen 27 Select the Tunnel Setting tab and enter the WAN Internet IP address of this PC 172 16 9 10 in this example Figure78 Tunnel Setting 28 Select the Authentication Methods tab and click the Edit button to see the screen below ...

Страница 104: ...o protect the key exchange preshared key then enter your pre shared key in the field provided 30 Click OK to save your settings then Close to return to the DUT to Win2K Properties screen There should now be 2 IP Filers listed as shown below Figure80 DUT to Win2K Properties 31 Select the General tab ...

Страница 105: ...Microsoft VPN 101 Figure81 Properties General Tab 32 Click the Advanced button to see the screen below Figure82 Key Exchange Settings 33 Click the Methods button to see the screen below ...

Страница 106: ...Algorithms 35 Select SHA1 for Integrity Algorithm 3DES for Encryption algorithm and Low 1 for the Diffie Hellman Group 36 Click OK to save then OK again and then Close to return to the Local Security Settings screen 37 Right click the DUT to Win2K Policy and select Assign to make your policy active Figure85 Windows 2000 XP Client to VRT 311 VRT 311S Configuration is now complete ...

Страница 107: ...re86 VRT 311 VRT 311S to Windows 2000 Server VRT 311 VRT 311S Configuration This is the same as for the client setup earlier with the exception of the IP address range for the remote endpoint Setting Single Client Server Gateway Remote IP addresses 172 16 9 10 For a single client this is the same as the Gateway address Subnet address 11 5 0 0 255 255 0 0 Address range used on the remote LAN ...

Страница 108: ...nstead for both IP Filters the Filter Properties Addressing should be completed as follows Figure87 Windows 2000 Server Addressing The Source Address should be set to A specific IP Subnet and the IP address and Subnet mask set to the address range used on VRT 311 VRT 311S s LAN The Destination Address should be set to A specific IP Subnet and the IP address and Subnet mask set to the address range...

Страница 109: ...sted Certificates Screen Trusted Certificates Subject Name CA The Subject Name is always the company or person to whom the Certificate is issued For trusted certificates this will be a CA Issuer Name The CA Certification Authority which issued the Certificate Expiry Time The date on which the Certificate expires You should renew the Certificate before it expires Delete button Use this button to de...

Страница 110: ... list The new Certificate will appear in the list Self Certificates Figure90 Self Certificates Screen Data Self Certificates Screen Active Self Certificates Name The name you assigned to this Certificate You should select a name which helps to identify this particular certificate Subject Name The company or person to whom the Certificate is issued Issuer Name The CA Certification Authority which i...

Страница 111: ... this to delete the selected certificate request Upload Certificate After you have received a Certificate use this to upload the certificate to the Broadband VPN Router You must select the correct certificate request so the Broadband VPN Router can correctly match the request and the certificate New Request Button Use this to generate a new request to be supplied to a CA Certifica tion Authority S...

Страница 112: ... 3 Click Next to continue to the following screen Figure92 Self Certificate Request 2 4 Check that the data displayed in the Certificate Details section is correct This data is used to generate the Certificate request If the data is not correct click the Back button and correct the previous screen 5 If the data is correct copy the text in the Data to supply to CA panel including BEGIN CERTIFICATE ...

Страница 113: ...ate file to VRT 311 VRT 311S Click Back to return to the Self Certificates screen The new Certificate will appear in the Active Self Certificates list CRLs CRLs are only necessary if using Certificates CRL Certificate Revocation List files show Certificates which have been revoked and are no longer valid Each CA issues their own CRLs It is VERY IMPORTANT to keep your CRLs up to date You need to ob...

Страница 114: ...ent time the table will be empty To update the display click the Refresh button If using IKE there is one SA for the IKE connection and another SA for the IPSec con nection For each VPN SA the following data is displayed Figure96 VPN Status Screen Data VPN Status Screen VPN Status SPI Each SA Security Association has a unique SPI For manual keys this SPI is specified by user input If using IKE the...

Страница 115: ...icrosoft VPN 111 Data Rx Measures the quantity of data which has been received via this SA Buttons Refresh Update the data shown on screen View Log Open a new window and view the contents of the VPN log ...

Страница 116: ...s chapter Using Microsoft VPN provides easier setup than using IPSec VPN The following Microsoft VPN configuration screens are provided Server Clients Status Server Setup VRT 311 VRT 311S incorporates a PPTP Peer to Peer Tunneling Protocol server which is compatible with the VPN Adapter provided with recent versions of Microsoft Windows Remote Windows clients are able to connect to this Server Onc...

Страница 117: ...ods The methods are listed with the most secure first least secure last If multiple methods are checked the most secure will be tried first If the remote client does not support this then the other checked methods are tried in order You must enable at least one method Client Database To login to the PPTP Server above using the Microsoft Windows VPN Adapter remote users must be entered in the VPN c...

Страница 118: ...name when they connect The name must not contain spaces punctuation or special characters Login Password Enter the login password The remote user must provide this password when they connect Verify Password Re enter the password above Button Clear Form Use this to prepare the form for a new entry Any existing data will be cleared Add as New User Use this to save the data in the Properties area as ...

Страница 119: ... Status Screen Server Status Status This indicates whether or not the PPTP VPN Server is enabled Current Connec tions This indicates the number of remote clients currently logged into the PPTP VPN Server Server Log Server Log This displays details of each connection or connection attempt You can use the Clear Log button to re start the log making new messages easier to read ...

Страница 120: ...e configured as described in the following sections It is assumed that remote users have a Broadband not dial up connection to the Internet Windows 98 ME 1 Click Start Settings Dial up Networking 2 Select Make New Connection Figure100 Windows ME VPN Adapter 3 Type a name for this connection and ensure that Microsoft VPN Adapter is selected Click Next to continue Figure101 Windows ME VPN Remote Hos...

Страница 121: ...ble the setting This is the default Internet connection on the Dialing tab Do NOT enable this setting if using Dial up or PPPoE client software Figure102 Windows ME VPN Dialing Properties To establish a connection 1 Ensure you are connected to the Internet 2 Select Start Settings Dial up Networking 3 Double click the new VPN entry in Dial up Networking 4 Enter your User name and Password as record...

Страница 122: ... Windows 2000 Network Connection 2 Select the VPN option Connect to a private network through the Internet as shown above and click Next Figure104 Windows 2000 Public Network 3 On the screen above Select Do not dial the initial connection if Internet access is via the LAN If using a PPPoE software client select Automatically dial this initial connection and select the PPPoE connection Click Next t...

Страница 123: ...ve enter the Domain Name or Internet IP address of VRT 311 VRT 311S you wish to connect to Click Next to continue Figure106 Windows 2000 Connection Availability 5 Choose whether to allow this connection for everyone or only for yourself as required Click Next to continue ...

Страница 124: ...ed in the VPN client database on VRT 311 VRT 311S 3 You can choose to have Windows remember the password if desired so you do not have to enter it again Changing the connection settings The PPTP VPN Server in VRT 311 VRT 311S is designed to work with the default Win dows settings If necessary you can change the Windows settings by right clicking the VPN connection in Network Connections and select...

Страница 125: ... Settings Network Connections and start the New Connection Wizard Figure108 Windows XP Network Connection Type 2 Select the option Connect to the network at my workplace as shown above and click Next Figure109 Windows XP Network Connection 3 On the next screen shown above select the Virtual Private Network connection option Click Next to continue ...

Страница 126: ... Windows XP Connection Name 4 Enter a suitable name for this connection Click Next to continue Figure111 Windows XP Public Network 5 On the screen above select Do not dial the initial connection Click Next to continue Figure112 Windows XP VPN Server ...

Страница 127: ...ou will then be prompted for the username and password Enter the username and pass word assigned to you as recorded in the VPN client database on VRT 311 VRT 311S 3 You can choose to have Windows remember the password if desired so you do not have to enter it again Changing the connection settings The PPTP VPN Server in VRT 311 VRT 311S is designed to work with the default Win dows settings If nec...

Страница 128: ...ins all the configuration data Network Diagnostics Ping DNS Lookup PC Database This is the list of PCs shown when you select the DMZ PC Virtual Server or Internet Application This database is maintained automati cally but you can add and delete entries for PCs which use a Fixed Static IP Address Remote Admin This feature allows you to manage VRT 311 VRT 311S via the Inter net Routing Only required...

Страница 129: ...low Figure114 Config File Screen Data Config File Screen Backup Config Use this to download a copy of the current configuration and store the file on your PC Click Download to start the download Restore Config This allows you to restore a previously saved configuration file back to VRT 311 VRT 311S Click Browse to select the configuration file then click Restore to upload the configuration file WA...

Страница 130: ...s on the Internet and no connection currently exists you could get a Timeout error In that case wait a few seconds and try again Ping Button After entering the IP address click this button to start the Ping procedure The results will be displayed in the Ping Results pane DNS Lookup Internet name Enter the Domain name or URL for which you want a DNS Domain Name Server lookup Note that if the addres...

Страница 131: ...Clients are automatically added to the database and updated as required By default non Server versions of Windows act as DHCP Clients this setting is called Obtain an IP Address automatically VRT 311 VRT 311S uses the Hardware Address to identify each PC not the name or IP address The Hardware Address can only change if you change the PC s network card or adapter This system means you do NOT need ...

Страница 132: ... not connected or not powered On you will not be able to add it Buttons Add This will add the new PC to the list The PC will be sent a ping to determine its hardware address If the PC is not available not con nected or not powered On you will not be able to add it Delete Delete the selected PC from the list This should be done in 2 situa tions The PC has been removed from your LAN The entry is inc...

Страница 133: ...P Address Select the appropriate option Automatic The PC is set to be a DHCP client Windows Ob tain an IP address automatically VRT 311 VRT 311S will allocate an IP address to this PC when requested to do so The IP address could change but normally won t DCHP Client Reserved IP Address Select this if the PC is set to be a DCHP client and you wish to guarantee that VRT 311 VRT 311S will always allo...

Страница 134: ... this the MAC address can NOT be left blank Buttons Add as New Entry Add a new PC to the list using the data in the Properties box If Automatic discovery for MAC address is selected the PC will be sent a ping to determine its hardware address This will fail unless the PC is connected to the LAN and powered on Update Selected PC Update modify the selected PC using the data in the Properties box Cle...

Страница 135: ... device NOT the LAN IP address and the port number as follows HTTPS ip_address port_number Where ip address is the Internet IP address of this device port number is the port number assigned on this screen 4 You should then be prompted for the password for this device You must assign a password Settings Enable Check this to allow administration management via the Internet To connect see above If Di...

Страница 136: ...ss This allows you to restrict remote access by IP address Select the desired option Everyone Remote user s IP address is not checked IP address range Only IP addresses in the range specified will be allowed If selected you must enter the Start and Finish IP addressses Only this PC Only the specified IP address is allowed If selected you must enter an IP address in the field provided To connect fr...

Страница 137: ...RT 311S and ensure the following Windows 2000 settings are correct Open Routing and Remote Access In the console tree select Routing and Remote Access server name IP Routing RIP In the Details pane right click the interface you want to configure for RIP version 2 and then click Properties On the General tab set Outgoing packet protocol to RIP version 2 broadcast and Incoming packet protocol to RIP...

Страница 138: ...ion Protocol feature of VRT 311 VRT 311S VRT 311 VRT 311S supports RIP 1 only Static Routing Static Routing Table Entries This list shows all entries in the Routing Table The Properties area shows details of the selected item in the list Change any the properties as required then click the Update button to save the changes to the selected entry ...

Страница 139: ...cted in the list is ignored and has no effect Update Update the current Static Routing Table entry using the data shown in the Properties area on screen Delete Delete the current Static Routing Table entry Clear Form Clear all data from the Properties area ready for input of a new entry for the Static Routing table Generate Report Generate a read only list of all entries in the Static Routing tabl...

Страница 140: ...ets to another router before reaching VRT 311 VRT 311S s local router the Gateway IP Address is the address of the intermediate router Static Routing Example Figure120 Routing Example For VRT 311 VRT 311S s Routing Table For the LAN shown above with 2 routers and 3 LAN segments VRT 311 VRT 311S requires 2 entries as follows Entry 1 Segment 1 Destination IP Address 192 168 1 0 Network Mask 255 255 ...

Страница 141: ...tion IP Address 0 0 0 0 Network Mask 0 0 0 0 Gateway IP Address 192 168 0 1 VRT 311 VRT 311S s IP Address Interface LAN For Router B s Default Route Destination IP Address 0 0 0 0 Network Mask 0 0 0 0 Gateway IP Address 192 168 1 80 VRT 311 VRT 311S s local router Interface LAN ...

Страница 142: ...file Select this file Start Upgrade Click this button to start the Firmware upgrade Note than any users accessing the Internet via VRT 311 VRT 311S will lose their connection When the upgrade is finished VRT 311 VRT 311S will restart and this management connection will be unavailable during the restart Cancel Cancel does NOT stop the Upgrade process if it has started It only clears the input for t...

Страница 143: ...nP users can change the configuration If Disabled UPnP users can only view the configuration But currently this restriction only applies to users running Windows XP who access the Properties via UPnP e g Right click VRT 311 VRT 311S in My Network Places and select Properties Allow Internet access to be disabled If checked then UPnP users can disable Internet access via this device If Disabled UPnP...

Страница 144: ...168 0 254 and thus com patible with VRT 311 VRT 311S s default IP Address of 192 168 0 1 Also the Network Mask should be set to 255 255 255 0 to match VRT 311 VRT 311S In Windows you can check these settings by using Control Panel Network to check the Properties for the TCP IP protocol Internet Access Problem 1 When I enter a URL or IP address I get a time out error Solution 1 A number of things c...

Страница 145: ...parent Use the Special Applications feature to allow the use of Internet applications which do not function correctly If this does solve the problem you can use the DMZ function This should work with almost every application but It is a security risk since the firewall is disabled Only one 1 PC can use this feature ...

Страница 146: ...n accordance with the instructions may cause harmful interference to radio communica tions However there is no guarantee that interference will not occur in a particular installation If this equipment does cause harmful interference to radio or television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one of the fo...

Страница 147: ...ditions 1 This device may not cause harmful interference and 2 This device must accept any interference received including interference that may cause undesired operation This transmitter must not be co located or operating in conjunction with any other antenna or transmitter CE Marking Warning CE Standards This product complies with the 99 5 EEC directives including the following safety and EMC s...

Результаты поиска

Содержание VRT-311

Отзывы:

Похожие инструкции для VRT-311

Бренды по названию

Популярные бренды

Planet Networking & Communication VRT-311, Руководство пользователя

Результаты поиска

Содержание VRT-311

Отзывы:

Похожие инструкции для VRT-311

Бренды по названию

Популярные бренды